CVE-2026-48110
7.5 HIGHRussh is a Rust SSH client & server library
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-20
Description
Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49218 — ImageMagick is free and open-source software used for editing and manipulating digital images (7.5 HIGH)
- CVE-2024-21944 — Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a ... (5.3 MEDIUM)
- CVE-2026-48108 — Russh is a Rust SSH client & server library (5.3 MEDIUM)
- CVE-2026-48107 — Russh is a Rust SSH client & server library (6.5 MEDIUM)
- CVE-2026-46679 — libp2p is a JavaScript Implementation of libp2p networking stack (7.5 HIGH)